Chapter2DevelopingInformationSecurityStrategy_InformationSecurityGovernanceSimplified.pdf

3/17/23, 9:33 PM Chapter 2 Developing Information Security Strategy | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/013-9781466551282-002.xhtml 1/24

2 Developing Information Security Strategy

Mirrors should reflect a little before throwing back images.

Jean Cocteau, 1889–1963

Most organizations today have a vision statement to direct employees to conduct business in a way that meets the overall goals of the organization. Vision statements are generally very short so that employees can easily grasp the essence of the strategy and behave in a manner that is consistent with it. This is helpful for determining the right course of action in the absence of a documented policy. Just as the overall business needs to have a vision, mission statement, goals, and action plans, so does the information security program if it is to sustain long-term viability and be effective in meeting the needs of the business.

What happens more often than not is that a need for information security appears one day as the result of an incident, public disclosure of information, a new law or regulation that must be complied with, or an inquiry from a member of senior management who read in the news about a security incident experienced by a competitor. This scenario is depicted in Figure 2.1. What follows is that someone is assigned to resolve the incident or come up with what needs to be done for information security. The individual assigned is usually within the information technology (IT) department, as security is usually seen as an information technology problem to be solved. The person then takes this assignment on, in addition to his or her other responsibilities, and starts fixing the problem at hand. After a series of small successes and a further understanding of the scope of information security, the person charged with addressing information security requests more resources and is initially met with resistance. A few more projects are taken on, and problems tackled, increasing the visibility of the security function. In this scenario, the strategy is the result of looking in the rear-view mirror and articulating the accomplishments of what has been completed in an attempt to gain more funds for further initiatives. Thus, the strategy emerges, so to speak, and is generated from a bottom-up approach.

Figure 2.1 Incident-driven security strategy approach.

An alternative approach is to perform an assessment of the information security practices that are in place by hiring an external firm to conduct an objective review, and then creating short- and long-term multiyear plans for addressing the problem areas, concentrating on the areas of highest risk first, as depicted in Figure 2.2. This top-down approach is beneficial in that it provides broad coverage for all of the domains and can be established without focusing on an immediate trigger, as in the bottom-up approach. The top-down approach also takes into consideration the risks of the security areas evaluated, whereas the immediate, bottom-up approach starts by focusing on the issue that is getting the most visibility at the time.


Figure 2.2 Top-down vision-driven security strategy.

One could argue that using an immediate security incident to spur the organization into action is not developing a strategy at all and is more akin to flying by the seat of your pants. The reality is that organizations do not always have the foresight or the knowledge within the organization to recognize the role that information security should play within the business. They may not have an advocate for information security who can articulate how implementing information security can be good for the business by reducing costs, increasing market share, creating a competitive advantage, and so on. Imagine also that a security incident is occurring and the person assigned says, “We should create a strategy to develop and implement an information security program to deal with this.” Using the nomenclature of the book Good to Great (Collins, 2001), there may not be a seat on the next bus for that individual! When there are urgent business problems to solve, the first order of action is to put out the fire, and then work on the fire suppression equipment and safety procedures, buy fire extinguishers, and so forth. The same principle applies to security incidents; although they may spur us into action and get the ball rolling, we must address the immediate issue at hand first.


A third type of strategy development is not consciously creating a strategy at all, as shown in Figure 2.3. Organizations that could be classified as security unaware fall into this category. They are the organizations that have individuals performing security functions, however not in a premeditated manner. Security “happens” within these organizations as different individuals are assigned the various functions of information security, whether or not it is called that. For example, the systems administrator may receive requests for access via e-mail and provide the access requested. An individual is responsible for moving source code to production status within the version control software. The help desk administers password resets upon request. Security functions are distributed across different individuals within the organization without a master plan of what should be performed. Risk assessments and reviews of the latest threats are usually nonexistent in this type of organization. Plans for upcoming initiatives are sparse, and new initiatives are generated by the next large incident that impacts availability or an unintended public disclosure.

Figure 2.3 Organically driven whack-a-mole security strategy.

So whatever method has been used to initiate the development of an information security strategy, whether leveraging the security incident in the bottom-up strategy, the preplanned, systematic top-down strategy assessment, or not consciously creating a strategy, it should be recognized that all organizations have one. The more planned the strategy is, the more likely that the strategy will be one that meets the needs of the business and is properly aligned with the business strategy. The unconscious strategy has a relatively slim chance of meeting the needs of the business, as security events tend to drive what the security response will be versus a thought-out plan for the future. Few companies can afford to take risks without knowing the risk that they are assuming by doing nothing (more about information security risk assessment is covered in Chapter 5 on risk management). The chance that an unconscious effort will address each of the information security domains proactively, before they are needed, is like spinning the roulette wheel to determine what the next business strategy will be.

The rest of this chapter will focus on the top-down and bottom-up strategy development approaches as viable alternatives for developing an information security strategy. Although each organization will vary in the areas that are of most importance, the subsequent sections provide some areas that need to be considered when developing the strategy. Failure to do so can cause the information security program to be out of touch with the needs of the business and not in alignment with them.

Evolution of Information Security

No security book would be complete without recognizing how the computing environment has changed from the early days of the mainframe to distributed computing, to personal computers, to laptops, to smart phones. Rather than exploring the laborious details of the challenges that each of these environments presented, suffice it to say that the number of platforms has increased and the data has moved further away from the data center “glass house.” We are having to protect information that is more accessible in more ways by more people than ever before. The quantities of information desired are also staggering. Even with the proliferation of information and the complexity of the environments that house this information, information security as a whole is still regarded as an IT issue that involves the creation of user IDs or accounts and the issuance of passwords. That’s it. Although it is important to get the security administration, identity management, or access management correct, that is only one piece of the information security program. The various functions that must make up an information security program are explained in detail in the security management chapter (Chapter 3). When developing any information security strategy, it is important to understand that the common view of individuals within the organization may be that the security staff’s role is limited to the issuance of user IDs and granting access. There may be an education process necessary prior to engaging individuals in the development of an information security strategy, or the focus may center on the traditional security administration functions.

Organization Historical Perspective

Before developing the security strategy, the person responsible for developing the strategy needs to understand the organization’s past experiences with information security. Organizations tend to have long memories of projects that failed and relatively short memories of projects that were successes and had little visibility. If the previous security officer implemented a strategy that failed, possibly evidenced by a short tenure or abrupt departure, then it would behoove the new security officer to informally find out what some of the issues were and the approaches attempted to solve them. This does not mean that the same approach would not work for a new person with additional management support or attempted under a different set of circumstances, but the reasons should be uncovered as quickly as possible. Failure may have been due to not enough resources applied, lack of available technical expertise, failure to communicate the project vision, lack of management support, and so forth. Alternatively, it may have had more to do with clashes of personality, for instance the individual responsible for the implementation utilizing an autocratic approach rather than a collaborative one.

Fear, Uncertainty, Doubt, Fear, Uncertainty, Doubt

One reason that the predecessor’s information security strategy may not have been well received by the organization was that the security officer utilized the fear-uncertainty-doubt cycle. It works like this:

Step 1—A security incident occurs that gets (unwanted) management attention.

Step 2—The security officer indicates what a large problem this is and requests a large amount of funding to implement new controls, hire more resources, and so forth to fix the problem. This is usually the response to a senior executive’s question of, “How can we prevent this and ensure it does not happen again?”

Step 3—The security officer implements the solution and all is well ... until the next time the same event happens.

Step 4—Repeat steps 1 through 3. The security officer indicates that there is new technology that will reduce the risk even further.

Step 5—A new incident occurs, and the same process is followed again.

What is wrong with this model? Many security officers will echo the sentiment, “There is nothing like a good incident.” Although it is true that the first incident raises the level of awareness and importance that adequate controls be in place, and many times does provide the necessary funding, the problem is the second, third, and fourth time the “sky is falling” message is given: Chicken Little tends to get little additional funding. The response from senior management is more likely to be to find a way to prevent the issue from recurring with the resources that have already been provided. The reality is that the fear, uncertainty, and doubt message tends to dissipate over time and is not effective. It is much more effective to have a security strategy roadmap that provides concrete enhancements to the business to deal with the threats facing the organization.

Understand the External Environment

Companies work within the context of a much larger environment and are subject to external circumstances beyond those they create themselves. These include the regulatory environment, the strategies of competitors, awareness of emerging threats, knowledge of cost structures, and the external independent research that is available to be leveraged.

Regulatory

Each organization should understand the regulatory environment within which it participates. Is it a publicly traded company subject to the Sarbanes–Oxley rules? Does it maintain protected health information (PHI) and is it therefore subject to the Health Insurance Portability and Accountability Act (HIPAA)? Does it serve customers in one of the 40-plus states that had enacted security incident notification laws when this chapter was written (all 50 states have since done so)? Is it processing credit cards and subject to the Payment Card Industry Data Security Standard (PCI DSS)? The regulatory environment will drive the security rules that have been mandated for the particular public or private sector.

Competition

Most boards of directors want to know how the security strategy and investment compare with those of their competitors. The objective in many companies is to spend no more and no less than their competitors, unless security is seen to provide a competitive advantage that is worth the additional investment. It can be very difficult in practice to ascertain what competitors are actually spending on information security, as this information is not generally shared. Companies may discreetly obtain information from social media websites (e.g., job profiles on LinkedIn articulating current function and activities for individuals in security roles) or from attendees at conferences. They may also have information from employees that were hired away from competitors. Intelligence, whether formal or informal, is obtained at some level by an organization, hopefully through ethical means, to enable the organization to differentiate its products and services and obtain a competitive advantage.

The reason organizations prefer to spend the same amount on information security as their competitors is that an organization must allocate funds across the different business units in a way that maximizes profitability. Spending more on a function such as information security, which is traditionally viewed as an overhead cost (i.e., it does not increase revenue), would normally be viewed as money that is not available to grow the business. This assumption makes security investment a hard sell in most organizations; however, being able to articulate competitor investments when developing the strategy is one way to garner support for it. This is especially true if the competitor will be using this knowledge to bid on or obtain new business that the company is also pursuing. Spending the same amount in this context gives the board of directors the comfort that it is not overspending, while at the same time providing the comfort that it is exercising due diligence in funding the security efforts. If a security breach occurs in the future and the company is subject to external governmental review or a lawsuit, the board can provide justification that it spent an appropriate amount on information security given the business climate in which the company operates.

Emerging Threats

Many information security threats are common across industries in that they exploit vulnerabilities in generally available software. A vulnerability in Microsoft Office or the latest vulnerability found in Adobe Reader represents an opportunity for the attacker to exploit the code, irrespective of the industry in which the company resides. Whether the opportunity can be exploited has more to do with how widespread the technology is within the organization and the manner in which defense-in-depth strategies have been deployed to protect the information assets.

The emerging threats need to be considered in building the security strategy. As discussed further in Chapter 5, certain types of information will need more protection focus than others and will need additional protection strategies. For example, an organization that processes credit card information or handles social security numbers will want to know where that information is located, which is established through the data classification activities. This information is more likely to be the subject of a targeted attack and will need to be protected appropriately.
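The data classification activity the paragraph refers to, locating card numbers and Social Security numbers wherever they reside, is usually backed by a discovery scan. The following is an added example, not code from the book: a Python scanner over constructed sample records that flags candidate card numbers only when they pass the Luhn check and candidate SSNs only when they satisfy the Social Security Administration's structural rules, reporting masked values. The sample records, their contents, and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records standing in for a file share or database export.
# Every number below is synthetic: 4111 1111 1111 1111 is a well-known test
# card number and 078-05-1120 is a historically published sample SSN.
SAMPLE_RECORDS = [
    "ticket 4412: customer called about card 4111 1111 1111 1111, resolved",
    "invoice 10021: order reference 4111111111111112 shipped",   # fails Luhn
    "hr-note: applicant SSN 078-05-1120 on file",
    "hr-note: SSN 000-12-3456 is malformed and should be rejected",
    "build log: commit 1234567890123456 failed tests",           # fails Luhn
]

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hyphenated U.S. SSN: area-group-serial.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True when the digit string can be a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked value) for each validated PAN or SSN found in text.

    Only masked values are returned so the scanner's own output does not
    become a second copy of the data it was meant to locate.
    """
    hits: List[Tuple[str, str]] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    return hits


def scan_records(records: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map record index -> hits, omitting records with nothing to report."""
    findings: Dict[int, List[Tuple[str, str]]] = {}
    for idx, rec in enumerate(records):
        hits = find_sensitive(rec)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {hits}")
```

Pattern matching alone produces noise (order numbers, commit hashes, timestamps), which is why the Luhn and SSA checks run before anything is reported. Treat the findings as input to the classification inventory rather than as proof, and run the scan with read-only access and masked output so the scan itself does not create a new copy of the data.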

Technology Cost Changes

When an information security strategy is first developed, the cost of a particular solution may appear prohibitive. Since technology costs are continually dropping due to competition, technology advances, the impact of mergers and acquisitions, and companies trying to increase market share, once a security strategy is put in place, the initial cost assumptions should be revisited. For example, it was not uncommon for database administrators to be reluctant to implement logging on database servers because of the perceived impact on performance and the large amounts of disk space required. As recently as the mid-1990s, the cost of this disk space could easily run into the millions of dollars for a few terabytes of storage. Today, the local electronics or office supply store can provide the same storage capacity for less than $50. Thus, the cost of implementing a logging and monitoring solution today involving terabytes of information would not be nearly as expensive, and it should be part of the strategy for an organization with the appropriate resources.

External Independent Research

Organizations such as Gartner, Forrester, The Burton Group, and others are valuable sources for product evaluations, emerging strategies, and emerging trends. These organizations provide predictions, typically 2 to 3 years out, of which vendors and products are leaders in their field. They also provide a vast amount of information on the products themselves and how they may fit into the security solution. Organizations do not have the funds to research all of these products themselves, even through a request for proposal (RFP) process. RFPs can yield a great deal of information for a given security business need, but at the same time require significant resource time to adequately send out the requests, evaluate the responses, score the responses, hold vendor presentations, and make a final selection. RFPs are good vehicles if the organization has the time and resources, or is narrowing the selection of an expensive long-term solution. The external independent reports can serve as input to jump-start the RFP process or, for less expensive solutions, quickly provide a cost-effective path toward product selection.

The Internal Company Culture

The company’s external environment is clearly important to information security strategies, as it represents how the world is interacting with our organizations. The internal company culture has a great impact on how successfully our security programs will be received. Although it would be nice to be able to copy another organization’s security strategy, implement it in ours, and call it a day, unfortunately no two organizations have the same “norm of operation,” and a security strategy that works for one company may not work for another. The following are areas to give some thought to. It may not even be readily apparent how the organization is operating, and the perspective of several individuals at different management and end-user levels may be needed to achieve an accurate assessment.

Risk Appetite

A community banking organization may have a low risk appetite and will tend to make very risk-averse decisions. A small credit union, for example, may wait until the technology is well developed or many other companies have embraced the technology before committing to its use. Establishing an Internet banking presence in the early days, for example, was only embraced by the large banks with sufficient resources to commit to the technology, thus minimizing the risk. Today, even small organizations have embraced online banking technology as a business imperative. The risk is perceived to be less when the application has been installed by several hundred banks and is supported by a software vendor with the ability to spread the security development costs over multiple customers, versus building the application with the limited resources of a single small credit union.


Risk-averse organizations will tend to have more rigid rules for information security and less likelihood of granting exceptions. On the other hand, innovative organizations promoting creativity or research will tend to allow more latitude. Users may be allowed to purchase and download designer or specialized software on their machines that a more structured environment would not allow. For example, a company such as Apple that is very innovative would be more permissive internally to promote creative expression than a pharmaceutical manufacturer would be with those engaged in tracking product shipments. This is not to say that one organization cares about security and the other does not, as both are concerned about the protection surrounding intellectual property within their companies. What differs is the internal approach to information security: securing the information in a way that provides security that is consistent with the culture, business operations, and management direction, and at the same time provides an adequate level of protection from unauthorized users.

Some organizations view new technology like oil wells and are willing to invest the money in multiple initiatives knowing that several will fail, understanding there will be one that is successful and will make up for the others. These organizations have the ability to invest larger amounts because they can spread their costs across many more users, systems, or products and services. If the solution does not turn out to be effective within a few years, the same organization will invest funds to replace it with a better solution. The smaller organization is more likely to select a product that will last for a longer period of time, and live with or incrementally enhance the usage of the product.

Speed

Organizations move at different speeds, some acquiring one business and then acquiring another before the first acquisition is fully integrated. A major airline published its new innovative sales promotions in the newspaper about 3 weeks before the IT department needed to have the systems available for processing the new promotion. Several programmers made sure they read the ads in the newspaper each day so they could be aware of what the marketing department was selling. This was done to ensure that the promotion was kept under wraps until absolutely necessary so that the competition did not find out. This is an example of an organization working with lightning speed. How long do projects typically take? Weeks? Months? Years? An 18-month implementation will not be very well received in an organization that typically implements initiatives in a 3-month timeframe. The security strategy needs to mirror the speed culture of the organization.

Collaborative versus Authoritative

Organizations structured in a command-and-control manner, where subordinates are expected to follow the directives of their immediate supervisors, tend to operate in an authoritative manner. Individuals may be encouraged within the organization to suggest improvements to existing practices or suggest new processes; however, the decision-making authority resides with the superior manager and is pushed down through the organization. Security policies and procedures are introduced via directives and established at higher levels within the company. Alternatively, collaborative organizations tend to request input and more discussion before decisions are made. Decisions are made collectively by a team or steering committee to achieve consensus on a particular direction. Security councils are very well received within this type of organization, and security policies are less likely to emerge solely as directives from one department.

In an authoritative structure, it is beneficial to know which individuals’ opinions shape most of the company’s actions and plans. Time would be well spent with these individuals early in the strategy planning process to get them behind the strategy. In the collaborative organization, the senior executive may be looking for clues that opinions were solicited from others within the organization before agreeing to the strategy.

Trust Level

An organization with low trust levels is a very difficult organization to work within, as it is unclear to whom the message needs to be communicated for it to be effective and who is ultimately in control. In this type of organization, it may be necessary to increase the number of stakeholders that need to accept the security strategy. By garnering broader support, it will be harder for a single individual acting alone to undermine the security strategy. Trust level can be evaluated by matching the statements made against the actions observed. Two-way trust is obviously preferred at the beginning of strategy development. However, the security officer may have to take the first step, delivering projects within the committed timelines and with the functionality promised, to build trust over time.

Individuals may also have hidden agendas related to their own advancement that the security officer should be conscious of. If a security strategy is viewed as adding time to a project that the individual is responsible for implementing, or it is perceived that the project may not meet its deadline as a result of a new security policy, the individual may not fully support the implementation. The worst case may come when a manager appears to support the security initiative publicly but meanwhile does little to advance the effort. The manager may also dislike the constraints that security places on operations, dislike structure, or have been dissatisfied with the length of time it takes the security department to onboard a new employee. Whatever the reason, it is important to understand which individuals are advocates for the security program and which individuals will serve as detractors.

Growth Seeker or Cost Cutter

Stocks can be classified in many different ways, such as large-capitalization stocks and small-capitalization stocks (the distinction is made on market capitalization, not revenue; thresholds vary, but large-cap companies are commonly those valued at $10 billion or more), domestic, international, or by the sector or industry in which they operate. Stocks are also classified as to whether they are considered a growth stock or a value stock. A growth stock is one in which there appear to be significant opportunities for the stock to grow in the future. These stocks typically represent either new start-ups or innovative established companies with product ideas that have not reached their full potential. Value stocks are those where the company is perceived to be worth more than its current market price suggests (often trading near or below book value), but for some reason has been beaten down by the market and is now out of favor. These stocks are purchased in the hope that someday the negative events pushing down the stock price are reversed and the stock will rise in value.

All companies want to increase revenues and cut costs. The distinction that is important here is that growth companies tend to invest more money than value companies in future product development and are more likely to embrace a growth security strategy that projects initiatives into the future that may not have an immediate payback. Value companies, on the other hand, may be out of favor and looking for significant cost reductions to increase the stock value. Projects may be cut, and layoffs may be the norm to regain financial viability. If an organization is in cost-cutting mode and the security officer suggests a project with a large financial commitment and a payoff several years in the future, this may be embraced by a growth-oriented company that is willing to take the risk, but not by the value-oriented company that is searching for new ways to cut costs. There needs to be an immediate or short-term payback to gain the support of leadership in the cost-cutting company.

Company Size

Large companies tend to be more willing to invest in more initiatives, as noted earlier, in large part because the total impact to the budget of the organization will be less when initiatives do not work out as anticipated. In other words, larger organizations have the ability to hedge their bets. On the flip side, larger organizations are sometimes more bureaucratic, with more buy-in and management approval necessary before the initiative can move forward. Security strategies need to take this into account when establishing timeframes for implementation. Whereas a smaller organization may readily accept a contract from a vendor without challenging it, due to the lack of legal support or leverage with the large vendor, a large organization may require a couple of months to move the contract through the legal process. Similarly, a small organization may not need the level of documentation that a large organization may need to conduct business. For example, a small doctor’s office with an office staff of two people may not need as formal a termination process ensuring that the keys to the office are changed, versus a large organization of 100,000 employees that would need card access systems and documented proximity badge collection policies, recertification policies, and new badge issuance policies. The small organization still needs to address each of the security domains within the security strategy. However, the degree of definition, documentation, and approach to satisfying the domain will be vastly different.

Outsourcing Posture

The security strategy should consider the company’s inclination to outsource functions or processing. What has been the history of the company? Is someone else currently providing the IT services for the organization? Is processing occurring outside of the United States? The outsourcing posture has implications not only for how the security organization should be managed as a function (employees, contractors, or outsourcing of pieces of the security function), but also for the controls that must be put in place for information assets being processed by another company or beyond our borders. If the cost savings are significant or if the quality of work is viewed to be superior to the work that could be done internally, the security strategy must be written to incorporate controls that make the processing feasible. Quite often, the outsourcing decisions are made at a very high company level with limited detailed input of costs at the time of agreement, as they tend to be kept very confidential. Few individuals are in the loop at this juncture.

The security strategy needs to ensure that contractual obligations are established and it is clear how the external functions will be managed. Take the case of outsourcing the server support to an external company. The question that should be addressed by the security strategy is who is responsible for the disaster recovery of the information if it is lost. Is the outsourcer responsible for maintaining and testing backup tapes on a regular basis? Is there a hot site in the strategy, or is there redundant hardware supported by the outsourcer? There is nothing inherently wrong with outsourcing functions; where it typically goes wrong is when expectations are not clear. Finding out that the outsourcer only retains backup tapes for 1 month when the security strategy indicates that the organization’s servers are recoverable for a period up to one year could cause an unwanted issue for the organization. Without the proper strategy and agreements in place, such as service level agreements, the lack of backups beyond 1 month may not be discovered until there is a need for recovery of critical information, a point that would be too late and could have been prevented by creating the appropriate security outsourcing strategy.

Prior Security Incidents, Audits

Evaluation of the prior security incidents can be of great value in developing an information security strategy. Did an end user leave a box of confidential information in his car with the engine running, only to have it stolen? Did an executive share her password with her administrative assistant so she could access her e-mail? Was the business strategy sent unencrypted across the Internet? Was a misconfigured firewall responsible for an external party using the mail server to send spam? Did a review of external background checks by the contracting company reveal that only 5 out of 25 background checks occurred? Incidents provide a wealth of information as to what actions are not being performed within the company. Security incidents are like mice—where you see one, you must have many more that are not seen. The question to ask when building the security strategy is: Do I have a stated control in place, as evidenced by the existence of a policy, procedure, and implemented activity, that serves to mitigate or reduce the likelihood or impact of this event occurring? If the answer is no, then this item needs to be included in the security strategy. The tendency to evaluate how important an incident is by the number of occurrences should be avoided, as there may be only one incident, but the potential impact may be large.

Internal and external audits also provide significant knowledge as to the process breakdowns within an organization. For instance, companies may do a very good job in documenting the policies and procedures, but may do a very poor job of executing them. Is the problem one of communication (awareness)? Is the problem due to shortcuts taken to implement a new system or change a system by the weekend? Is the problem one of misinterpretation? Or is there a personal disagreement with the standard, or a lack of supporting technical controls to support the policy? Audits should be reviewed and unresolved findings should be used to enhance the security strategy. Previously resolved findings can also provide input, as an issue may have been resolved by a quick fix to remove the finding, but a better long-term solution may be warranted and should be reflected within the security strategy.

External audits may or may not provide recommendations to mitigate the audit issue, depending upon the nature of the audit (some firms will not provide recommendations in the post-Enron era, as this may be viewed as a conflict of interest because it could possibly be viewed as providing consulting services). If they are providing an attestation of the controls, they are not supposed to provide advice. However, many auditors will informally be willing to provide their opinions, outside of the formal written report, as to what types of actions would have made the situation a nonissue and not resulted in a finding. This information can be very valuable in constructing the strategy, as the auditors are exposed to many different solutions across industries and companies.

If the organization is in the business of contracting work to other organizations, the government, or a parent company, other formal reviews of past performance should also be examined. Reviews of past performance may include metrics such as quality, timeliness, meeting project deadlines, and so forth. These reviews can highlight areas where information security may be able to help. For instance, if there are delays in the early morning call center availability due to virus scans starting at undesirable times, the information security strategy could examine methods to shift the running of the scans, reduce the time of the scans by allocating more hardware or faster desktops, or examine alternative products for deployment.

Security Strategy Development Techniques

Specific information security strategy considerations for each of the information security domains are noted in the appropriate security control determination chapter for the primary managerial (Chapter 8), technical (Chapter 9), and operational (Chapter 10) controls. These provide some insight into the questions that should be asked to formulate the information security strategy. Following are some of the techniques that can be used to develop the strategy specific to the company.

Mind Mapping

Mind mapping (Buzan, 1996) is a very powerful technique to extract thoughts out of different individuals and subsequently organize those thoughts. Mind mapping encourages the free flow of thought and organizes these thoughts together. The greatly simplified process works according to the following steps:

1. The topic is drawn in a circle in the center of a flip chart for a group, or on a piece of paper if done individually.

2. Lines are drawn outward from the circle in a spider-like fashion to represent the main thoughts. These lines are labeled with the thought.

3. Thoughts come to people’s minds from the main spokes drawn in step 2 and are added as smaller perpendicular lines from the main spokes and labeled.

4. This process is repeated, drawing more perpendicular lines or branches from the prior lines, until the majority of the thoughts around the subject noted in the circle are expressed.

For example, if the circle in the middle were labeled “Develop an Information Security Program,” some of the thoughts that may come to mind are policies, procedures, staffing, vulnerability testing, access control, business continuity planning, and strategy development. These could form the spokes coming from the circle, and then, as the brainstorming continued, more thoughts could be added. The word “staffing” may cause expression of the words experience, certifications, education, years in the industry, security tool knowledge, budgets, number of staff, and training. Then the training spoke could be explored, and the concepts of cost, training organization, type, prerequisites, tracking, and so forth could be added to the training branch. A sample mind map is shown in Figure 2.4.

Figure 2.4 Strategy Mind Map example. (Created with Mind Mapping software, www.smartdraw.com.)

The power comes from obtaining multiple thoughts from different people with different perspectives or vantage points of the issue being discussed. Many ideas can be captured in quick succession. As an experiment, at a conference of IT auditors, each person was given 1 minute to draw a mind map with at least 10 thoughts coming from the word “happiness.” As one can imagine, happiness means many different things to many different people. Amazingly, out of about 150 people in the room, there were only a handful of matches, on concepts such as travel and children. While some people matched on these commonalities, it was even more alarming to see that few people even matched on those. The key takeaway here is that, as experienced as the security officer may be, he or she should recognize that the organizational knowledge, experience, and ideas contained in others need to be understood. The mind mapping tool is an excellent method of capturing the components that should be addressed in an information security strategy. As a side note, each chapter of this book started with the creation of a mind map to capture the starting point for the chapter.

SWOT Analysis

When businesses are embarking on a new business venture, a SWOT (strengths, weaknesses, opportunities, threats) analysis is typically used to determine the organization’s current ability to compete in that marketplace. The process involves a facilitated brainstorming discussion whereby a box is drawn divided into four quadrants (each representing one of the four dimensions of the SWOT acronym), and each of the quadrants is then evaluated by the team. An example SWOT analysis for a security program is shown in Figure 2.5. In practice, much time is usually spent on defining the strengths and weaknesses, as these appear to be easier to grasp because they tend to be based upon past observations of performance within the organization. Opportunities require an understanding of items that are more abstract, such as possibilities of the future without necessarily being currently equipped to develop the product or service. Threats are those actions that may serve to derail future plans or disrupt the existing environment.

Figure 2.5 Security program SWOT analysis example.


Applied to information security strategy development, the SWOT process can illuminate areas where security could make a positive, proactive impact to the organization (opportunity), but to date has not acted. For example, creating and deploying an identity management system that would ease the manual burden of submitting paper forms while providing faster access to the needed systems would benefit the business process by making it more efficient. Other benefits could be added into the security strategy, such as the integration with the corporate help desk ticketing system, enabling password resets, and reducing the number of profiles by implementing role-based access. Each of these would represent an opportunity to the business.

In the aforementioned example, through the SWOT analysis it may be determined that the skills are not available in-house to implement a complex identity management product and resources from outside need to be obtained. It may also be identified that it is not well understood what access should be granted to what job function, making the construction of accurate profiles difficult, or that a role-discovery tool is needed to jump-start the effort. Strengths may include project management expertise in-house, knowledge of the existing processes, or the ability to receive excellent pricing on the security software.

Balanced Scorecard

The balanced scorecard was developed by Kaplan and Norton and gained popularity after the idea was published in the Harvard Business Review (Kaplan and Norton, 1996). Essentially, the balanced scorecard approach encourages organizations to not only examine the financial measures of profitability, but also to continuously examine the measurements of how well the customer, process (quality), and learning perspectives are being attained. Each of these processes eventually contributes to the financial measures, and by focusing upon these other measures as well as the financial measures, the overall financial profitability of the organization will be improved.

Some organizations identify a few key measures, such as growth in the number of customers, nonconformance to processes, or the percentage of staff that have acquired a new skill. Other organizations drive the balanced scorecard concept to an individual employee level, whereby goals are created for each employee and rolled up into higher-level goals (or vice versa). In either case, the balanced scorecard provides a mechanism to review the progress of the organization in meeting its goals. As management guru Peter Drucker noted, “If you can’t measure it, you can’t manage it” (Drucker, 1993).

Security strategies can be developed using the balanced scorecard approach and building appropriate measures to track whether the customer, quality, learning, or financial perspectives are being enhanced by the security strategy.

Face-to-Face Interviews

Face-to-face interviews are not as formal as the other techniques, but they can be very effective in understanding what is really important to the management and technical staff in the organization. The security officer schedules a 1-hour meeting with each senior management member, middle management, front-line supervisors, and a cross-section of end users and key technical staff. In the first 20 minutes, the security officer discusses at a high level some of the information security concerns facing companies today with respect to the confidentiality, integrity, and availability of information. It may be helpful to provide some statistical information, news stories of events within similar industries, and some specifics of events that have occurred within the company. This is then followed with a brief 10-minute discussion of the functions of the information security department and ways that the security department can help. The next 30 minutes are then devoted to listening to the challenges of the business area and identifying where the security area may be able to help. Through this process, a champion or two for the security strategy may emerge, in addition to learning what the issues are. For example, it may be learned that an executive is trying to reduce the costs per transaction and that the facility costs are a major expense. He also indicated that he does not want to incur the expense of maintaining another machine for each individual. As a possible solution, he was thinking about a work-at-home solution and did not know if this would increase the likelihood that information would become exposed. For the security officer, this should ring a bell that a secure virtual private network (VPN) solution coupled with virtualization of the desktop may be a feasible alternative.

Face-to-face interviews also serve to build rapport with key people within the business. Simply demonstrating that the security department cares about their needs, concerns, and issues begins to build the relationship. These are the same individuals that may be called upon later to support the implementation of the strategy by the departmental projects that are initiated.

Key to each of these techniques is to not try to determine the security strategy without the input of the business leaders and appropriate technical staff. What may appear as an important security concern heard at a security conference may not be the largest security concern facing the business. The CEO may have some real concerns about brand image at the moment, and an opportunity would be missed by not connecting the security strategy to the needs of the CEO. Demonstrating how applying the proper security controls can protect the brand, for example, would enable maturity of the security program.

Security Planning

Strategic, tactical, and operational plans are interrelated, and each provides a different focus towards enhancing the security of the organization. Planning reduces the likelihood that the organization will be reactionary towards the security needs. With appropriate planning, decisions on projects can be made with respect to whether they are supporting the long-term or short-term goals and have the priority that warrants the allocation of more security resources.

Strategic

Strategic plans are aligned with the strategic business and information technology goals. These plans have a longer-term horizon (3 to 5 years or more) to guide the long-term view of the security activities. The process of developing a strategic plan emphasizes thinking of the company environment and the technical environment a few years into the future. High-level goals are stated to provide the vision for projects to achieve the business objectives. This type of plan is the outcome of the top-down, vision-driven approach to security strategy previously discussed and shown in Figure 2.2. These plans should be reviewed at least annually, or whenever major changes to the business occur, such as a merger, acquisition, establishment of outsourcing relationships, major changes in the business climate, or introductions of new competitors. Technological changes will be frequent during a 5-year time period, so the plan should be adjusted. The high-level plan provides organizational guidance to ensure that lower-level decisions are consistent with executive management’s intentions for the future of the company. For example, strategic goals may consist of

Establish security policies and procedures

Effectively deploy servers, workstations, and network devices to reduce downtime

Ensure all users understand the security responsibilities and reward excellent performance

Establish a security organization to manage security entity-wide

Ensure that risks are effectively understood and controlled

Tactical

Tactical plans provide the broad initiatives to support and achieve the goals specified in the strategic plan. These initiatives may include deployments such as establishing an electronic policy development and distribution process, implementing robust change control for the server environment, reducing the likelihood of vulnerabilities residing on the servers, implementing a “hot site” disaster recovery program, or implementing an identity management solution. These plans are more specific and may contain multiple projects to complete the effort. Tactical plans are shorter in length, such as from 6 to 18 months, to achieve a specific security goal of the company.

Operational/Project Plans

Specific plans with milestones, dates, and accountabilities provide the communication and direction to ensure that the individual projects are being completed. For example, establishing a policy development and communication process may involve multiple projects with many tasks:

Conduct security risk assessment

Develop security policies and approval processes

Develop technical infrastructure to deploy policies and track compliance

Train end users on policies

Monitor compliance

Depending upon the size and scope of the efforts, these initiatives may be steps of tasks as part of a single plan, or they may be multiple plans managed through several projects. The duration of these efforts is short term, to provide discrete functionality at the completion of the effort.


Traditional waterfall methods of implementing projects spend a large amount of time detailing the specific steps required to implement the complete project. Executives today are more focused on achieving some short-term, or at least interim, results to demonstrate the value of the investment along the way (Fitzgerald, 2007). Demonstration of value along the way maintains organizational interest and visibility to the effort, increasing the chances of sustaining longer-term funding. Executive management may grow impatient without realizing these early benefits.

Suggested Reading

Collins, J. 2001. Good to great: Why some companies make the leap and others don’t. New York: HarperCollins.

National Conference of State Legislatures. State Security Breach Notification Laws. http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNoti

Fitzgerald, T., Goins, B., and Herold, R. 2007. Information security and risk management. In Official (ISC)² Guide to the CISSP CBK, H. A. Tipton and K. Henry, eds., 9–17. Boca Raton, FL: Auerbach.

Kaplan, R. S., and Norton, D. P. 1996. The balanced scorecard: Translating strategy into action. Boston: Harvard Business School Press.

Buzan, T., and Buzan, B. 1996. The Mind Map® book: How to use radiant thinking to maximize your brain’s untapped potential. New York: Plume.

Drucker, P. 1993. The practice of management (reissue edition). New York: Harper Business.
